FS#70822 - [libxml2] [security] CVE-2021-3537

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Wednesday, 12 May 2021, 15:52 GMT
Last edited by Antonio Rojas (arojas) - Saturday, 15 May 2021, 09:26 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jan de Groot (JGC)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Attached diff adds an upstream patch for CVE-2021-3537 to the libxml2 package.

Additional info:
Switching to git master might be worth considering if they won't make a release with all these fixes...

This task depends upon

Closed by  Antonio Rojas (arojas)
Saturday, 15 May 2021, 09:26 GMT
Reason for closing:  Fixed
Additional comments about closing:  libxml 2.9.12-1
Comment by Jonas Witschel (diabonas) - Wednesday, 12 May 2021, 16:18 GMT
I'll note that there are several more open CVEs (CVE-2021-3516, CVE-2021-3517, CVE-2021-3518) in libxml2, the corresponding commits for fixing them are as follows:

https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 # CVE-2021-3516
https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 # CVE-2021-3517
https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 # CVE-2021-3518
Comment by T.J. Townsend (blakkheim) - Wednesday, 12 May 2021, 16:46 GMT
I tried to make an updated diff but 1098c30a040e72a4654968547f415be4e4c40fe7 does not apply cleanly.

There was another null deference fix just two days ago:


My suggestion is now to just use the master branch until a release is cut, which this v2 diff does.
Comment by T.J. Townsend (blakkheim) - Thursday, 13 May 2021, 22:05 GMT
This can be closed now.